Mailing List Archive

contact from blacklist
Hi everyone,

lately I get more and more spam from so called contact forms.

Does anyone know a blacklist for this?

Kind regards
Philipp

--
Philipp Ewald
Administrator

DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln
Fax: +49 221 6500-690, E-Mail: philipp.ewald@digionline.de

AG Köln HRB 27711, St.-Nr. 5215 5811 0640
Managing Director: Werner Grafenhain

Data protection information: www.digionline.de/ds
RE: contact from blacklist
Url blacklists? Maybe paste some headers here?



-----Original Message-----
To: users@spamassassin.apache.org
Subject: contact from blacklist

Hi everyone,

lately I get more and more spam from so called contact forms.

Does anyone know a blacklist for this?

Kind regards
Philipp

--
Philipp Ewald
Administrator

DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln
Fax: +49 221 6500-690, E-Mail: philipp.ewald@digionline.de

AG Köln HRB 27711, St.-Nr. 5215 5811 0640
Managing Director: Werner Grafenhain

Data protection information: www.digionline.de/ds
Re: contact from blacklist
On 11/20/20 6:41 PM, Marc Roos wrote:
>
>
> Url blacklists? Maybe paste some headers here?
>
Not real URL Blacklist.

On my freemail account I got this kind of email too, so I thought maybe there would be a blacklist for this kind of SPAM.

X-Spam-Flag: NO
X-Spam-Score: 1.901
X-Spam-Level: +
X-Spam-Status: No, score=1.901 tagged_above=-9999 required=5
tests=[BAYES_50=0.8, HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377,
MIME_HTML_ONLY=0.723] autolearn=no autolearn_force=no
Received: from mail.alnatura.de (mail.alnatura.de [145.253.236.209])
by mailwall.bringe.digionline.de (Postfix) with ESMTPS id F222445BD4
for <postmaster@>; Fri, 20 Nov 2020 13:18:30 +0100 (CET)
Received: from psrvexc03.alnatura.local ([10.11.11.49]:37454 helo=mail.alnatura.de)
by mail.alnatura.de with esmtp (Exim 4.82_1-5b7a7c0-XX)
(envelope-from <noreply@alnatura.de>)
id 1kg5My-0005UX-2H
for postmaster@; Fri, 20 Nov 2020 13:18:28 +0100
Received: from PSRVEXC04.alnatura.local (10.11.11.52) by
PSRVEXC03.alnatura.local (10.11.11.49) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
15.1.2106.2; Fri, 20 Nov 2020 13:18:28 +0100
Received: from RD0003FF4CBBCD (13.80.108.215) by smtp.alnatura.de
(10.11.11.52) with Microsoft SMTP Server id 15.1.2106.2 via Frontend
Transport; Fri, 20 Nov 2020 13:18:28 +0100
MIME-Version: 1.0
From: noreply@alnatura.de
To: postmaster@
Date: Fri, 20 Nov 2020 13:18:28 +0100
Subject: Kontaktformular Alnatura 20.11.2020 13:18:28
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
Message-ID: <08fd5fa0-6388-4af1-96c1-9fe93e59fc7a@PSRVEXC04.alnatura.local>

###################

X-Spam-Flag: NO
X-Spam-Score: 1.526
X-Spam-Level: +
X-Spam-Status: No, score=1.526 tagged_above=-9999 required=5
tests=[BAYES_50=0.8, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001,
MIME_HTML_ONLY=0.723, URIBL_BLOCKED=0.001]
autolearn=no autolearn_force=no
Received: from production331.hipex.io (production331.hipex.io [195.201.187.140])
by mailwall.bringe.digionline.de (Postfix) with ESMTPS id 1E152476FC
for <postmaster@>; Thu, 19 Nov 2020 22:17:10 +0100 (CET)
Received: by production331.hipex.io (Postfix, from userid 2005)
id EA15A7D2DB1; Thu, 19 Nov 2020 22:16:41 +0100 (CET)
To: postmaster@
Subject: =?UTF-8?Q?Danke=20f=C3=BCr=20Ihre=20Kontaktanfrage:=20Mein=20Konto=20/=20?= =?UTF-8?Q?Frage=20zur=20Rechnung=20/=20Ein=20Konto=20erstellen?=
Date: Thu, 19 Nov 2020 21:16:41 +0000
MIME-Version: 1.0
Content-Type: text/html;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Reply-To: noreply@heuts.de

Thanks for contact BLABLALBA

Your Text to us:
SPAM


Or is this only a German problem?


Kind regards
Philipp




--
Philipp Ewald
Administrator

DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln
Fax: +49 221 6500-690, E-Mail: philipp.ewald@digionline.de

AG Köln HRB 27711, St.-Nr. 5215 5811 0640
Managing Director: Werner Grafenhain

Data protection information: www.digionline.de/ds
Re: contact from blacklist
Philipp Ewald wrote on 2020-11-20 18:52:

> X-Spam-Flag: NO
> X-Spam-Score: 1.526
> X-Spam-Level: +
> X-Spam-Status: No, score=1.526 tagged_above=-9999 required=5
> tests=[BAYES_50=0.8, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001,
> MIME_HTML_ONLY=0.723, URIBL_BLOCKED=0.001]
> autolearn=no autolearn_force=no


http://uribl.com/usage.shtml

urirhssub URIBL_BLOCKED multi.uribl.com. A 1
body URIBL_BLOCKED eval:check_uridnsbl('URIBL_BLOCKED')
describe URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL
was blocked. See
http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more
information.
tflags URIBL_BLOCKED net noautolearn

works better if you solve this
Re: contact from blacklist
Nope, I will check spamassassin for more "low" volume services....

> URIBL provides public lookups over DNS for low volume usage. If you spam check a large amount of email, or you use a shared DNS platform for resolution, you may receive a response saying the query was refused.

We have a higher usage....




On 11/20/20 7:05 PM, Benny Pedersen wrote:
> Philipp Ewald wrote on 2020-11-20 18:52:
>
>> X-Spam-Flag: NO
>> X-Spam-Score: 1.526
>> X-Spam-Level: +
>> X-Spam-Status: No, score=1.526 tagged_above=-9999 required=5
>>     tests=[BAYES_50=0.8, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001,
>>     MIME_HTML_ONLY=0.723, URIBL_BLOCKED=0.001]
>>     autolearn=no autolearn_force=no
>
>
> http://uribl.com/usage.shtml
>
> urirhssub       URIBL_BLOCKED   multi.uribl.com.        A   1
> body            URIBL_BLOCKED   eval:check_uridnsbl('URIBL_BLOCKED')
> describe        URIBL_BLOCKED   ADMINISTRATOR NOTICE: The query to URIBL was blocked.  See http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more information.
> tflags          URIBL_BLOCKED   net noautolearn
>
> works better if you solve this

--
Philipp Ewald
Administrator

DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln
Fax: +49 221 6500-690, E-Mail: philipp.ewald@digionline.de

AG Köln HRB 27711, St.-Nr. 5215 5811 0640
Managing Director: Werner Grafenhain

Data protection information: www.digionline.de/ds
Re: contact from blacklist
Philipp Ewald wrote on 2020-11-20 19:08:
> Nope, I will check spamassassin for more "low" volume services....
>
>> URIBL provides public lookups over DNS for low volume usage. If you
>> spam check a large amount of email, or you use a shared DNS platform
>> for resolution, you may receive a response saying the query was
>> refused.
>
> we have a higher usage....

then either deny uribl.com in local.cf or make a datafeed to solve it

you can test on http://multirbl.valli.org/lookup/ if the uri is listed
somewhere
Re: contact from blacklist
On Fri, 20 Nov 2020, Philipp Ewald wrote:

> On my freemail account I got this kind of email too, so I thought maybe there
> would be a blacklist for this kind of SPAM.

...

> Thanks for contact BLABLALBA
>
> Your Text to us:
> SPAM

This looks like abuse of a web-based feedback form at alnatura.de; they
don't appear to have a CAPTCHA on their feedback form so it's possible
it's being abused by spambots.

Is the source domain (alnatura.de) consistent, just the spammy content
changes? If so, a blacklist_from entry for noreply@alnatura.de might work
while contacting the domain (NOT via the feedback form!) and letting them
know their feedback form is being abused for spam and they should add a
CAPTCHA. Though, they should realize that when they see a ton of spam in
their feedback system. They may just be cursing fate and deleting it.

A BL of domains with abusable feedback forms would be handy, but data
collection and maintenance seems problematic. I don't think one currently
exists.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Men, it has been well said, think in herds; it will be seen that
they go mad in herds, while they only recover their senses slowly,
and one by one. -- Charles MacKay, 1852
-----------------------------------------------------------------------
174 days since the first private commercial manned orbital mission (SpaceX)
Re: contact from blacklist
Philipp are these spam using things like Google forms for spam? If so,
take a look at KAM.cf on mcgrail.com, we've added a number of rules to
combat those recently.

BTW, anyone willing to test the KAM channel?  We've got it in production
use for a while now.

Regards,
KAM

On 11/20/2020 12:38 PM, Philipp Ewald wrote:
> Hi everyone,
>
> lately I get more and more spam from so called contact forms.
>
> Does anyone know a blacklist for this?
>
> Kind regards
> Philipp
>
--
Kevin A. McGrail
KMcGrail@Apache.org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
Re: contact from blacklist
On Fri, 20 Nov 2020, Kevin A. McGrail wrote:

> Philipp are these spam using things like Google forms for spam? If so, take a
> look at KAM.cf on mcgrail.com, we've added a number of rules to combat those
> recently.

There are also Google Docs rules in the base ruleset that should catch
that.

Based on the sample that was posted, it looks to me like abuse of a
web-based feedback form - post a spammy feedback using the email address
of your victim and you spam the victim via the confirmation (and the
domain hosting the feedback form at the same time).

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Maxim I: Pillage, _then_ burn.
-----------------------------------------------------------------------
174 days since the first private commercial manned orbital mission (SpaceX)
Re: contact from blacklist
Hi,

On 20/11/2020 20:46, Kevin A. McGrail wrote:
> Philipp are these spam using things like Google forms for spam? If so,
> take a look at KAM.cf on mcgrail.com, we've added a number of rules to
> combat those recently.
>
> BTW, anyone willing to test the KAM channel?  We've got it in
> production use for a while now.

I'd like to try the KAM channel. A quick install how-to would be nice too

thanks
Levi

>
> Regards,
> KAM
>
> On 11/20/2020 12:38 PM, Philipp Ewald wrote:
>> Hi everyone,
>>
>> lately I get more and more spam from so called contact forms.
>>
>> Does anyone know a blacklist for this?
>>
>> Kind regards
>> Philipp
>>
Re: contact from blacklist
On Fri, 20 Nov 2020 10:28:52 -0800 (PST)
John Hardin wrote:

> On Fri, 20 Nov 2020, Philipp Ewald wrote:
>
> > On my freemail account I got this kind of email too, so I thought
> > maybe there would be a blacklist for this kind of SPAM.
>
> ...
>
> > Thanks for contact BLABLALBA
> >
> > Your Text to us:
> > SPAM
>
> This looks like abuse of a web-based feedback form at alnatura.de;
> they don't appear to have a CAPTCHA on their feedback form so it's
> possible it's being abused by spambots.
...
> A BL of domains with abusable feedback forms would be handy, but data
> collection and maintenance seems problematic.


There's also a variant that used to be a big part of my spam where the
spammer puts a brief message into a display name field during a
sign-up. The confirmation or verification email is then the spam. A lot
of these have a personalised greeting at the top, so it works well.
Re: contact from blacklist
> On 20 Nov 2020, at 22:23, Levente Birta <blevi.linux@gmail.com> wrote:
>
> I'd like to try the KAM channel. A quick install how-to would be nice too

I would like to test the KAM channel tool.

Thanks,
Andrew
Re: contact from blacklist
On Fri, Nov 20, 2020 at 7:46 PM Kevin A. McGrail <kmcgrail@apache.org> wrote:

> BTW, anyone willing to test the KAM channel? We've got it in production
> use for a while now.

+1
thanks,
-f
Re: contact from blacklist
>> Philipp are these spam using things like Google forms for spam? If so, take a look at KAM.cf on mcgrail.com, we've added a number of rules to combat those recently.
On my freemail I got Google form SPAM.

> AM.cf on mcgrail.com

I will have a look - thanks


On 11/21/20 6:08 AM, Andrew Colin Kissa wrote:
>
>
>> On 20 Nov 2020, at 22:23, Levente Birta <blevi.linux@gmail.com> wrote:
>>
>> I'd like to try the KAM channel. A quick install how-to would be nice too
>
> I would like to test the KAM channel tool.
>
> Thanks,
> Andrew

+1

On 11/20/20 8:46 PM, John Hardin wrote:
> On Fri, 20 Nov 2020, Kevin A. McGrail wrote:
>
>> Philipp are these spam using things like Google forms for spam? If so, take a look at KAM.cf on mcgrail.com, we've added a number of rules to combat those recently.
>
> There are also Google Docs rules in the base ruleset that should catch that.
>
> Based on the sample that was posted, it looks to me like abuse of a web-based feedback form - post a spammy feedback using the email address of your victim and you spam the victim via the confirmation (and the domain hosting the feedback form at the same time).
>

--
Philipp Ewald
Administrator

DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln
Fax: +49 221 6500-690, E-Mail: philipp.ewald@digionline.de

AG Köln HRB 27711, St.-Nr. 5215 5811 0640
Managing Director: Werner Grafenhain

Data protection information: www.digionline.de/ds
Re: contact from blacklist
Hi Philipp

These are all forms which pass on some sort of
user content back to the alleged subscriber during the subscription
process.

So if you can pass a 'firstname' (or any other data) during
subscription, and the form which requests a confirmation for this
subscription includes that data like:
---
Hello 'firstname' thank you for subscribing, please confirm by clicking
the link below.
---

Now of course the attacker might enter the string

'buy cheap RX drugs: https://bit.bly/vl4gr4-4-ch34p'

as firstname and successfully spam this way.

As all kind of different form submission tools are abused, I fear there
is not much you can do except report to the webmaster of the affected
form and also report the email to your choice of DNS Blacklist or URI
blacklist to get either the sender IP or the confirmation URL
blacklisted.

--
Kind regards

-Benoît Panizzon- working from home and reachable as usual
--
I m p r o W a r e A G - Head of Commerce Customers
______________________________________________________

Zurlindenstrasse 29 Tel +41 61 826 93 00
CH-4133 Pratteln Fax +41 61 826 93 01
Switzerland Web http://www.imp.ch
______________________________________________________
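The form-side fix this post points at, as an added example that is not code from the post or from any product named in the thread: a confirmation-mail builder that echoes the submitted 'firstname' field verbatim, beside one that validates the field and falls back to a fixed greeting when it does not look like a name. The confirmation link, the templates and the sanitizer's rules are assumptions.

```python
import re
from typing import Optional

# Constructed input modelled on the post's example of what an abuser types
# into the "firstname" field (the bit.bly URL is the post's own illustration).
ABUSIVE_FIRSTNAME = "buy cheap RX drugs: https://bit.bly/vl4gr4-4-ch34p"
# Hypothetical confirmation link; a real form would embed a per-signup token.
CONFIRM_LINK = "https://example.invalid/confirm?token=PLACEHOLDER"
TEMPLATE = "{greeting} thank you for subscribing, please confirm by clicking\n{link}\n"


def confirmation_naive(firstname: str) -> str:
    """Echoes the field verbatim: the confirmation mail becomes the spam."""
    return TEMPLATE.format(greeting=f"Hello {firstname}", link=CONFIRM_LINK)


# Anything that looks like a link or a bare domain has no place in a first name.
_URL_OR_DOMAIN = re.compile(r"https?://|www\.|[a-z0-9-]+\.[a-z]{2,}(?:/|\b)", re.I)
# Starts with a letter, then letters, digits, apostrophes, spaces, dots, hyphens.
_NAME_CHARS = re.compile(r"^[^\W\d_][\w'\u2019 .-]*$")


def sanitize_name(firstname: str, max_len: int = 40) -> Optional[str]:
    """Return the name if it passes the checks, else None (use a fixed greeting)."""
    name = " ".join(firstname.split())          # collapse newlines and runs of spaces
    if not name or len(name) > max_len:
        return None                             # overlong "names" are message bodies
    if _URL_OR_DOMAIN.search(name) or not _NAME_CHARS.match(name):
        return None
    return name


def confirmation_hardened(firstname: str) -> str:
    """Personalise only when the field looks like a name; never echo junk."""
    name = sanitize_name(firstname)
    greeting = f"Hello {name}," if name else "Hello,"
    return TEMPLATE.format(greeting=greeting, link=CONFIRM_LINK)


if __name__ == "__main__":
    print(confirmation_naive(ABUSIVE_FIRSTNAME))
    print(confirmation_hardened(ABUSIVE_FIRSTNAME))
    print(confirmation_hardened("Constance"))
```

Dropping the echoed field altogether is the simplest fix; the sanitizer is for forms that want to keep the personalised greeting.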
Re: contact from blacklist
On Mon, 23 Nov 2020 08:27:23 +0100
Benoît Panizzon wrote:

> Hi Philipp
>
> We see them a lot lately. These are all forms which pass on some sort
> of user content back to the alleged subscriber during the subscription
> process.
>
> So if you can pass a 'firstname' (or any other data) during
> subscription, and the form which requests a confirmation for this
> subscription includes that data like:
> ---
> Hello 'firstname' thank you for subscribing, please confirm by
> clicking the link below.
> ---
>
> Now of course the attacker might enter the string
>
> 'buy cheap RX drugs: https://bit.bly/vl4gr4-4-ch34p'
>
> as firstname and successfully spam this way.

A lot of confirmation emails display first and last name. Most of those
I saw ended up looking something like this:

Hello Constance wants to see you in 12 hours https://www.swatchpop.com/link?url=https://nfr-52.webself.net k7,

I'm guessing that k7 here would be what the spammer's script entered as
"last name", it's just something unobtrusive. I found this useful because
it was a fixed pattern, always 2 alphanumeric characters.
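A mail-side check for the pattern described in this reply and in Benoît's earlier one, as an added example and not a rule from the thread or from SpamAssassin: it pulls the name field out of a confirmation mail's greeting line and flags a URL inside it, an overlong name, and a URL followed by the two-character "last name" token. The sample bodies are constructed, with placeholder domains, and the rule names are made up.

```python
import re
from typing import List

# Constructed sample bodies modelled on the thread's examples; domains are placeholders.
SAMPLES = [
    ("abuse", "Hello Constance wants to see you in 12 hours "
              "https://redirect.example.invalid/link?url=https://nfr-52.example.invalid k7,\n\n"
              "Please confirm your subscription:\nhttps://shop.example.invalid/confirm"),
    ("abuse", "Hello buy cheap RX drugs: https://bit.example.invalid/vl4gr4, thank you "
              "for subscribing, please confirm by clicking the link below."),
    ("ham",   "Hello Constance,\n\nThank you for subscribing, please confirm by clicking "
              "the link below.\nhttps://shop.example.invalid/confirm"),
    ("ham",   "Hello Jean-Luc O'Brien, your order has shipped."),
]

# The greeting's name field: everything after the salutation up to the first comma
# or end of line (the spammer's text lives in exactly this slot).
_GREETING = re.compile(r"^(?:Hello|Hi|Dear)\s+(?P<name>[^,\n]+)", re.I | re.M)
_URL = re.compile(r"https?://\S+|www\.\S+", re.I)
# The "k7" artefact from the post: a 2-character alphanumeric token closing the field.
_TRAILING_2CHAR = re.compile(r"\s[A-Za-z0-9]{2}\s*$")


def greeting_name(body: str) -> str:
    m = _GREETING.search(body)
    return m.group("name").strip() if m else ""


def check_greeting(body: str) -> List[str]:
    """Return the names of the checks that fire, SpamAssassin-rule style."""
    name = greeting_name(body)
    hits: List[str] = []
    if not name:
        return hits
    has_url = bool(_URL.search(name))
    if has_url:
        hits.append("GREETING_NAME_HAS_URL")
    if len(name.split()) > 4:
        hits.append("GREETING_NAME_TOO_LONG")
    if has_url and _TRAILING_2CHAR.search(name):
        hits.append("GREETING_URL_THEN_2CHAR_SURNAME")
    return hits


def classify(body: str, threshold: int = 1) -> str:
    return "abuse" if len(check_greeting(body)) >= threshold else "ham"


if __name__ == "__main__":
    for label, body in SAMPLES:
        print(f"{label:5} -> {classify(body):5} {check_greeting(body)}")
```

The URL-in-greeting check carries the weight; the two-character token is the corroborating signal this reply describes and should only add score when a URL is already present.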